On Sun, 16 Sep 2001 16:24:30 -0400 (EDT) Dennis Murphy <dmurphy@nbvb.com> wrote:

DM> The way I dealt with this in PHP is by writing a function to validate input
DM> (i.e. Make sure there's nothing but an integer coming in as a parameter).
DM> There's probably a half-dozen ways to rewrite this function more efficiently,
DM> but at least it works...

If speed is a concern, there are faster methods to validate GET/POST data.
One is to cast to int in PHP, like:

    $query="select * from my_table where id=".((int)$id);

However, there might be a problem if int is internally represented in lower
precision in PHP than it is in SQL.

Another method is to enclose the variable contents in quotes:

    $query="select * from my_table where id='".addslashes($id)."'";

--
Radu Constantin Rendec
Web Solutions Manager
iNES Advertising ( http://www.ines.ro )
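An added example, not part of the original message: it compares the (int) cast discussed above with a strict check that also enforces the SQL column's range, which is the precision concern the message raises. The function name validate_id, the 32-bit INT bounds and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed bounds: the range of a signed 32-bit SQL INT column.
const SQL_INT_MAX = 2147483647;
const SQL_INT_MIN = -2147483647 - 1;

/**
 * Hypothetical helper: return the id as an int only if the whole string
 * is a decimal integer inside the column's range, otherwise null.
 */
function validate_id(string $raw, int $min = SQL_INT_MIN, int $max = SQL_INT_MAX): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Constructed sample inputs, as they might arrive in $_GET['id'].
$samples = ['42', '12abc', '1 OR 1=1', '99999999999999999999', ''];

foreach ($samples as $raw) {
    $cast = (int)$raw;          // the cast always yields some integer
    $id   = validate_id($raw);  // null unless the input is a clean, in-range integer

    if ($id === null) {
        printf("%-24s cast=%d  rejected\n", var_export($raw, true), $cast);
        continue;
    }

    // Only a verified integer is concatenated into the statement.
    $query = "select * from my_table where id=" . $id;
    printf("%-24s cast=%d  %s\n", var_export($raw, true), $cast, $query);
}
```

The cast column shows that malformed or oversized input still becomes a usable number, so a request that should have been refused runs against some other row instead.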